How can I manage split domains effectively as a single admin?

Asked By CuriousCat123 On

I'm the sole administrator for a small non-profit that's collaborating with a larger organization. We're transitioning to a new local domain with Entra integration to utilize the security features required for our cyber security compliance from the larger organization. My users log in through ad.myorg.com, but we also receive free Office 365 access through the larger organization (largeorg.com), for which I don't have admin rights. Generally, things run smoothly; users log in to ad.myorg.com, but I sometimes have to remind them to use their largeorg.com credentials when accessing O365. The trouble comes when it unpredictably tries to log in with their ad.myorg.com accounts, especially with the new domain transition. I've heard suggestions about becoming a tenant in their Active Directory, but our Director prefers to keep everything separate. Has anyone navigated a similar setup? What alternatives can I consider to streamline this process? Thanks in advance for any insights!

3 Answers

Answered By TechGuru98 On

So, it sounds like the problem might stem from the user principal names (UPN) not lining up between your AD and Entra. Try adding the UPN suffix to your AD domain to ensure they match. That could help clear up some of the login issues you're facing.

AdminInTraining99 -

But just to clarify, the UPN suffixes are already matching. The issue arises because the O365 accounts are separate and not managed by you, which complicates things.
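A read-only way to check the UPN suffix alignment suggested in this answer, as an added example that is not part of the original thread. It lists the UPN suffixes available in the forest and flags enabled users whose UPN suffix differs from the expected one; `ad.myorg.com` comes from the question, while `$ExpectedSuffix` and the output column names are assumptions.

```powershell
# Added example: read-only audit, makes no changes to AD.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Assumption: the suffix users are expected to carry in their UPN (from the question).
$ExpectedSuffix = 'ad.myorg.com'

# Suffixes usable in UPNs: the forest's domain DNS names plus any alternate suffixes.
$forest = Get-ADForest
$available = @($forest.Domains) + @($forest.UPNSuffixes) | Sort-Object -Unique

Write-Output "UPN suffixes available in forest: $($available -join ', ')"
if ($available -notcontains $ExpectedSuffix) {
    Write-Warning "$ExpectedSuffix is not registered as a UPN suffix in this forest."
}

# Flag enabled users whose UPN is missing or uses a different suffix.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
    ForEach-Object {
        $suffix = if ($_.UserPrincipalName) {
            ($_.UserPrincipalName -split '@')[-1]
        } else {
            $null
        }
        if ($suffix -ne $ExpectedSuffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                UpnSuffix         = $suffix
                Mail              = $_.mail
            }
        }
    }

$mismatched | Sort-Object UpnSuffix, SamAccountName | Format-Table -AutoSize
Write-Output "Users with a non-matching UPN suffix: $(@($mismatched).Count)"
```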

Answered By OfficeWiz101 On

I came across a preview feature from Microsoft that might help you out. Check out their guide on how to use email sign-in: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin. It might streamline transitions between accounts.

CuriousCat123 -

I'm curious though—if I use a largerorg.com email as a Proxy Address, won't it just default to logging in with the ad.myorg.com account instead? I need them to sign in with their largerorg.com accounts for O365 and keep their myorg.com accounts for workstations.

Answered By SecuritySeeker77 On

Have you considered asking the larger organization to include you in their setup with AAD Connect? That way, you'd manage a single source of truth for identities, plus you'd get some password management features. I know it can be a security concern, but it might ease some of the headaches you've mentioned.

CuriousCat123 -

Yes, they did offer us a tenant or an OU, but our director insists on keeping everything distinct, even if it means more headaches.
